merovix logo
Structured learning paths for mobile social casino development with practical assignments and real-world tools
Get Started

Data Processing Agreement

Last updated: October 9, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between merovix ("Company", "we", "us", or "our") and you ("Customer", "you", or "your") and governs the processing of personal data in connection with the services provided through merovix.online.

1. Definitions

For the purposes of this DPA:

  • Personal Data means any information relating to an identified or identifiable natural person processed by the Company on behalf of the Customer.
  • Processing means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or deletion.
  • Data Subject means the individual to whom Personal Data relates.
  • Controller means the entity that determines the purposes and means of processing Personal Data.
  • Processor means the entity that processes Personal Data on behalf of the Controller.
  • Sub-processor means any third party engaged by the Processor to process Personal Data.

2. Roles and Scope of Processing

The parties acknowledge and agree that:

  • The Customer acts as the Controller of Personal Data.
  • The Company acts as the Processor of Personal Data.
  • The Company shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law.
  • The subject matter, duration, nature, and purpose of processing, along with the types of Personal Data and categories of Data Subjects, are described in the Services agreement and this DPA.

3. Customer Obligations

The Customer represents and warrants that:

  • It has obtained all necessary rights, consents, and authorizations required to collect and transfer Personal Data to the Company for processing.
  • It has provided all required notices and disclosures to Data Subjects regarding the processing of their Personal Data.
  • Its instructions to the Company comply with all applicable data protection laws and regulations.
  • It will maintain appropriate documentation of its processing activities and legal basis for processing.

4. Company Obligations

The Company agrees to:

  • Process Personal Data only in accordance with the Customer's documented instructions.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality.
  • Implement appropriate technical and organizational measures to ensure security of Personal Data.
  • Engage Sub-processors only with prior written authorization from the Customer.
  • Assist the Customer in responding to Data Subject requests to exercise their rights.
  • Assist the Customer in ensuring compliance with security, breach notification, and impact assessment obligations.
  • Delete or return all Personal Data to the Customer upon termination of services, unless retention is required by law.
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA.

5. Security Measures

The Company shall implement and maintain appropriate technical and organizational security measures, including but not limited to:

  • Encryption of Personal Data in transit and at rest where appropriate.
  • Regular security assessments and vulnerability testing.
  • Access controls ensuring Personal Data is accessible only to authorized personnel.
  • Security incident detection and response procedures.
  • Regular backup and disaster recovery capabilities.
  • Physical security measures for systems storing Personal Data.
  • Employee training on data protection and security practices.

6. Sub-processors

The Customer provides general authorization for the Company to engage Sub-processors to process Personal Data, subject to the following conditions:

  • The Company shall provide the Customer with at least thirty days' notice of any intended changes concerning the addition or replacement of Sub-processors.
  • The Customer may object to the engagement of a new Sub-processor on reasonable grounds within fourteen days of such notice.
  • The Company shall impose data protection obligations on Sub-processors that provide at least the same level of protection as this DPA.
  • The Company remains fully liable to the Customer for the performance of any Sub-processor's obligations.

7. Data Subject Rights

The Company shall, to the extent legally permitted and taking into account the nature of processing:

  • Promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under applicable data protection laws.
  • Provide reasonable assistance to enable the Customer to respond to such requests within required timeframes.
  • Not respond directly to Data Subject requests without the Customer's prior written authorization.
  • Implement appropriate technical measures to facilitate the Customer's compliance with Data Subject rights, including access, rectification, erasure, restriction, portability, and objection.

8. Data Breach Notification

The Company shall:

  • Notify the Customer without undue delay and in any event within forty-eight hours after becoming aware of any Personal Data breach.
  • Provide the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the breach under applicable data protection laws.
  • Provide timely information relating to the breach as it becomes available, including the nature of the breach, affected data categories and Data Subjects, likely consequences, and measures taken or proposed to address the breach.
  • Cooperate with the Customer and take reasonable steps to remediate the breach and prevent future occurrences.

9. Data Protection Impact Assessment

Upon request, the Company shall provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with supervisory authorities where required under applicable data protection laws.

10. Audits and Inspections

The Company shall:

  • Make available to the Customer information necessary to demonstrate compliance with obligations under this DPA.
  • Allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
  • Provide reasonable notice requirements and ensure audits do not unreasonably interfere with business operations.
  • Allow the Customer to verify compliance through documented certifications, third-party attestations, or other appropriate means as an alternative to on-site audits.

11. International Data Transfers

If Personal Data is transferred outside the jurisdiction where it was collected:

  • The Company shall ensure appropriate safeguards are in place as required by applicable data protection laws.
  • Such safeguards may include standard contractual clauses, adequacy decisions, or other legally recognized transfer mechanisms.
  • The Company shall provide the Customer with information about transfer mechanisms upon request.
  • The Customer consents to such transfers provided appropriate safeguards are maintained.

12. Return and Deletion of Data

Upon termination or expiration of the Services:

  • The Company shall, at the Customer's choice, delete or return all Personal Data to the Customer within thirty days.
  • The Company shall certify in writing that it has complied with this obligation.
  • The Company may retain Personal Data to the extent required by applicable law, provided such data remains subject to confidentiality obligations.
  • Following deletion, the Company shall have no obligation to retain or provide copies of Personal Data.

13. Records and Documentation

The Company shall maintain complete and accurate records of all processing activities carried out on behalf of the Customer, including:

  • The categories of processing carried out.
  • Technical and organizational security measures implemented.
  • Details of Sub-processors engaged.
  • Records of Data Subject requests and Personal Data breaches.

14. Limitation of Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms of Service. Nothing in this DPA shall limit or exclude either party's liability for matters that cannot be limited or excluded under applicable law.

15. Term and Termination

This DPA shall commence on the effective date of the Services agreement and continue until the termination or expiration of all Services involving the processing of Personal Data. The obligations under this DPA shall survive termination to the extent necessary to comply with applicable data protection laws.

16. Amendments

The Company may amend this DPA from time to time to reflect changes in data protection laws, regulatory guidance, or processing practices. Material changes will be communicated to the Customer with at least thirty days' notice. Continued use of the Services following such notice constitutes acceptance of the amended DPA.

17. Conflict

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters. In all other respects, the Terms of Service remain in full force and effect.

18. Governing Law

This DPA shall be governed by and construed in accordance with the same governing law provisions as set forth in the Terms of Service.

19. Contact Information

For questions or concerns regarding this Data Processing Agreement, please contact us at:

merovix
78A Ty'n-Y-pwll Rd
Cardiff CF14 1AT
United Kingdom
Email: support@merovix.online
Phone: +441772379110